[ISN] BlackBerry Reveals Bank's Secrets

From: InfoSec News (isnat_private)
Date: Tue Aug 26 2003 - 05:58:08 PDT


    Forwarded from: William Knowles <wkat_private>
    
    http://www.wired.com/news/business/0,1367,60052,00.html
    
    [Sad thing is few if any companies will heed the lesson in this story
    by forcing their employees to keep their PDAs locked, encrypted, or
    afterward, clean of proprietary information once they've left the
    company. One thing I do see happening out of this story is the
    prices of used BlackBerrys will be going up on eBay with buyers
    competing with each other hoping to score that "next" million dollar
    PDA chock full of corporate and government secrets.  - WK]
    
    
    By Kim Zetter
    Aug. 25, 2003
    
    The eBay ad read "BlackBerry RIM sold AS IS!" So Eugene Sacks (not his 
    real name), a Seattle computer consultant who always wanted one of the 
    pager-size devices to check his e-mail, sent in a bid. For just 
    $15.50, he bought the wireless device with 4 MB of memory. 
    
    The BlackBerry didn't come with a cable, synching station, software or 
    a manual. But it did come with something even more valuable: a trove 
    of corporate data. 
    
    After popping a battery into the BlackBerry's back panel, Sacks 
    discovered a few things the previous owner wouldn't have wanted him to 
    see -- more than 200 internal company e-mails from financial services 
    firm Morgan Stanley and a database of more than 1,000 names, job 
    titles (from vice presidents to managing directors), e-mail addresses 
    and phone numbers (some of them home numbers) for Morgan Stanley 
    executives worldwide. 
    
    It was all there to read, Sacks said, the minute he turned on the 
    device. 
    
    The seller, who asked to remain anonymous, was a former vice president 
    of mergers and acquisitions for Morgan Stanley who'd left the company 
    months earlier. 
    
    "If I were Morgan Stanley, I'd be embarrassed," said a source who is 
    an expert in the financial industry. "You should not be able to get 
    that kind of information paying $16 on eBay." 
    
    Companies mentioned in the e-mails include technology firms, shipping 
    firms, telecoms and accounting agencies. 
    
    The incident serves as a cautionary tale about the ways companies fail 
    to manage sensitive data despite public assurances to the contrary. It 
    also shows how employees who are entrusted with confidential 
    information are often insufficiently trained about the simple yet 
    sophisticated technologies they use. 
    
    In addition to personal e-mails that reveal the VP's own Charles 
    Schwab IRA account numbers, the name and phone number of his mother 
    and the amounts he paid for his monthly mortgage, car and Visa bills, 
    the e-mails discuss confidential information about loan terms for 
    Morgan Stanley clients, debt-restructuring strategies for specific 
    companies, preliminary talks for potential merger deals and even some 
    creative ways of interpreting contracts. 
    
    In the latter category, an e-mail exchange between two Morgan Stanley 
    employees discusses a client who seems to want to step around the 
    terms of a contract signed with a third party. A Morgan Stanley 
    employee advises telling the company to stay "aboveboard" and follow 
    the letter of the contract. 
    
    "They're asking you to act in something less than good faith it seems 
    to me. Not wise. Better to have everything aboveboard and 
    disclosed...." advises the one employee to another in e-mail. 
    
    The VP who sold the BlackBerry told Wired News he didn't know the 
    information was on the device. He said he removed the battery months 
    ago, and assumed that everything had been erased. 
    
    But Morgan Stanley said he violated a contract he signed promising to 
    destroy or return any proprietary information. 
    
    "On the last day of employment the employee must remove and destroy 
    any confidential information in their possession and return any mobile 
    devices and any portable media belonging to the firm," said Diana 
    Quintero, a company spokeswoman. "When people leave and they sign 
    these papers, they're reminded of this policy." 
    
    While much of the information on the BlackBerry pertains to deals that 
    are now public and thus no longer sensitive, the financial expert said 
    it's simply a matter of luck that none of the e-mails contained 
    information that could now be traded for profit on the stock market. 
    Had the VP sold the BlackBerry after leaving his job months ago, some 
    of the deals would still have been pending. 
    
    For instance, a series of e-mails discusses debt restructuring for one 
    of Morgan Stanley's clients -- in all likelihood so that the client 
    could raise capital to purchase a competitor. Judging from public 
    information about the companies, that particular deal never went 
    through, but the company did purchase a second competitor a few months 
    later. 
    
    Had anyone obtained information about the merger before it occurred, 
    they could have thwarted the deal by offering a higher bid for the 
    target company or could have bought stock in the target company and 
    waited for the purchasing bid to spike its value. 
    
    "It's a violation of confidentiality, and it would really piss off the 
    client if anybody found out about it," said the financial expert. 
    "That's not something you ever want to be public until it's a done 
    deal." 
    
    In addition to information contained in the body of the e-mails, there 
    are numerous attachments that contain proprietary PowerPoint 
    presentations, financial spreadsheets and case studies about finished 
    deals that would interest any Morgan Stanley competitor who wanted to 
    know how the firm conducts deals. 
    
    Because the attachments are stored on a server and not on the 
    BlackBerry itself, though, no one can view them now that the VP's 
    e-mail account is closed. But had the VP misplaced his BlackBerry 
    while still an employee, someone could easily have read the 
    attachments, too. The VP told Wired News that he never locked his 
    BlackBerry with a password, and the device doesn't have encryption 
    capabilities to let users scramble data stored in its memory. 
    
    Paige Steinbock, a partner in headhunting agency Korn/Ferry 
    International, called the database of Morgan Stanley employee names 
    and home phone numbers "a virtual gold mine of information." 
    
    Steinbock said headhunters regularly purchase directories of alumni 
    associations and professional groups to track executives to hire. But, 
    she said, "having something electronic like that address book would 
    obviously speed up the process in terms of having accurate, 
    identifiable names and numbers of people you're trying to target." 
    
    An address database can also aid corporate spies and hackers who want 
    to piece together an organizational chart of company executives. 
    Knowing the name, title and e-mail address of a managing director, a 
    hacker can spoof the account and send correspondence as an executive. 
    Someone posing as a managing director in the New York office, for 
    instance, could contact a secretary in the Chicago office and request 
    a company file be e-mailed to his home address. 
    
    The VP who sold the BlackBerry said he had no idea data could remain 
    on a device long after the battery was removed. 
    
    "It didn't even occur to me that it would have this stuff still on 
    there because it had been lying around for a long time without a 
    battery in it," he said. "Had I known there was anything on it, I 
    wouldn't have sold it." 
    
    The VP acknowledged he signed papers saying he needed to return 
    company property. But the BlackBerry didn't belong to the firm. Morgan 
    Stanley employees generally buy their own BlackBerries through a plan 
    offered by the firm. The one the VP bought was shipped directly to 
    Morgan Stanley's IT department, which set up the software and service 
    on the BlackBerry before giving it to him. 
    
    "I paid (for it) on my credit card and they handed it to me in working 
    order," said the VP. 
    
    The large address book containing employee job titles and home phone 
    numbers was already loaded on the device when he received it, he said. 
    
    "Usually what happens when someone leaves, they hand in their 
    BlackBerry, everything is erased, and then we give it back to them," 
    said Morgan Stanley's Quintero. "Obviously that didn't happen in this 
    case." 
    
    Quintero said that while the VP may have sold the information 
    accidentally, he still violated company policy. And even though the 
    company knew he possessed the BlackBerry, she said the onus was on him 
    to bring it forward to be cleaned. 
    
    "We trust employees with a lot of sensitive information; that's why we 
    have these procedures in place. Someone who is in mergers and 
    acquisitions and is a vice president should be very aware of his 
    responsibilities," she said. 
    
    But Korn/Ferry's Steinbock said, "If they were vigorously wanting to 
    protect their intellectual property, I would hardly think that's 
    enough. 
    
    "Since it's information that would harm them, not him, it's perplexing 
    that they wouldn't be more aggressive about retrieving that 
    information and follow up with him. The company obviously doesn't have 
    controls in place to take care of its own intellectual property, and 
    that's really their fault," she said. 
    
    In fact, the VP said that when the company closed his e-mail account 
    on his last day of work, he thought any data on the BlackBerry would 
    be deleted remotely by the server. "I just assumed it was all taken 
    care of," he said. 
    
    Courtney Flaherty, a spokeswoman for Research in Motion, the company 
    that manufactures the BlackBerry, said there are two ways to wipe data 
    on a BlackBerry -- either manually using the synching software, or 
    remotely through a command that gets pushed out from the server to the 
    device. But that only works if a company uses the Microsoft Exchange 
    server. Morgan Stanley uses Lotus Domino. 
    
    This is not the first time an individual or organization inadvertently 
    sold sensitive data with a used system. Last year a Veterans 
    Administration medical center sold or donated to schools 139 used 
    computers that turned out to contain credit card numbers and medical 
    data for patients afflicted with AIDS and mental health conditions. 
    
    Recently MIT researchers purchased used hard drives from 
    computers resellers and eBay auctions to see how many drives contained 
    recoverable data. Out of 129 drives they examined, only 12 had been 
    properly cleaned. One hard drive contained 3,722 deleted credit-card 
    numbers that were easily recoverable. And another drive, which 
    appeared to come from an ATM machine, showed no evidence that the bank 
    had tried to erase it. It still contained the ATM's log of customer 
    account numbers and balances. 
    
    The incident with Morgan Stanley highlights the risk of disseminating 
    data on handheld devices. With so many PDAs and mobile phones sold 
    secondhand each year, there are likely numerous cases that have never 
    become known. 
    
    Judging from the windfall of info captured on the VP's BlackBerry, the 
    financial expert interviewed for this story said he could only imagine 
    the wealth of information people could gather if they placed ads for 
    used BlackBerries online and waited for the devices to roll in. 
    
    Of course, information leaks occur in non-technical ways as well, he 
    noted. Employees take paperwork home all the time. But new technology, 
    he said, "makes it more efficient (and) compact" to transport lots of 
    data at once. As a result, a higher volume of information can be 
    captured in a single device than if someone simply left a briefcase 
    behind on the subway. 
    
    From employees who willfully take data with them when they leave a job 
    to those who are simply neglectful, he said banks lose confidential 
    information all the time. "We don't make a big deal about it, we never 
    tell anybody about it, but that's the bottom line," he said. 
    
    Guy Diament, a senior systems engineer in New York, said it's up to 
    companies to communicate with employees about secure computing and to 
    train them to use passwords as well as encryption when available. "But 
    they can't just encrypt files at work. If an employee syncs files to a 
    laptop, a handheld or a home computer, then the files have to be 
    encrypted there if possible." 
    
    "The bottom line," he said, "is that as long as a company allows 
    employees to duplicate and triplicate company files on devices that 
    leave the office, it cannot ensure that its information won't ever get 
    out. It can only strive to protect itself." 
    
    
     
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ----------------------------------------------------------------
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ================================================================
    Help C4I.org with a donation: http://www.c4i.org/contribute.html
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 09:56:05 PDT